diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index bb08c26a..d6a94aa7 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -26,6 +26,8 @@ jobs:
 url: https://pypi.org/p/sp-repo-review
 permissions:
 id-token: write
+ attestations: write
+ contents: read
 runs-on: ubuntu-latest
 if: github.event_name == 'release' && github.event.action == 'published'
 steps:
@@ -34,4 +36,9 @@ jobs:
 name: Packages
 path: dist
+ - name: Generate artifact attestation for sdist and wheel
+ uses: actions/attest-build-provenance@v1.1.2
+ with:
+ subject-path: "dist/*"
+
 - uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/docs/pages/guides/gha_pure.md b/docs/pages/guides/gha_pure.md
index aea102fc..59e34258 100644
--- a/docs/pages/guides/gha_pure.md
+++ b/docs/pages/guides/gha_pure.md
@@ -143,6 +143,8 @@ publish:
 environment: pypi
 permissions:
 id-token: write
+ attestations: write
+ contents: read
 runs-on: ubuntu-latest
 if: github.event_name == 'release' && github.event.action == 'published'
 steps:
@@ -151,6 +153,11 @@ publish:
 name: Packages
 path: dist
+ - name: Generate artifact attestation for sdist and wheel
+ uses: actions/attest-build-provenance@v1.1.2
+ with:
+ subject-path: "dist/*"
+
 - uses: pypa/gh-action-pypi-publish@release/v1
 ```
@@ -162,6 +169,9 @@ allow pushes from GitHub. If it's the first time you've published a package, go to the [PyPI trusted publisher docs] for instructions on preparing PyPI to accept your initial package publish.
+We are also generating artifact attestations, which can allow users to verify
+that the artifacts were built on your actions.
+
 {% endtab %}
 {% tab token Token %}
 {% raw %}
@@ -230,6 +240,8 @@ jobs:
 environment: pypi
 permissions:
 id-token: write
+ attestations: write
+ contents: read
 runs-on: ubuntu-latest
 if: github.event_name == 'release' && github.event.action == 'published'
 
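Review bot: The new step references `actions/attest-build-provenance@v1.1.2`, a mutable tag, from a job that already holds `id-token: write` and now `attestations: write`; if that tag were ever retargeted, the substituted code would run with the repository's OIDC publishing identity. Pin it to the release's full commit SHA and keep the version as a trailing comment, `uses: actions/attest-build-provenance@<full-commit-sha> # v1.1.2`, so dependency tooling can still bump it. The subject `dist/*` is whatever the preceding download-artifact step wrote, so the provenance is only as trustworthy as the upload in the build job, which is outside this hunk; a comment such as `# Attests every file in dist/ (populated by the download step above) before upload` would make that dependency explicit. The `pypa/gh-action-pypi-publish@release/v1` reference on the last context line is the same kind of moving target, though that one predates this change.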
@@ -239,6 +251,11 @@ jobs:
 name: Packages
 path: dist
+ - name: Generate artifact attestation for sdist and wheel
+ uses: actions/attest-build-provenance@v1.1.2
+ with:
+ subject-path: "dist/*"
+
 - uses: pypa/gh-action-pypi-publish@release/v1
 ```
diff --git a/docs/pages/guides/gha_wheels.md b/docs/pages/guides/gha_wheels.md
index 7f8e2fbc..0ab1837b 100644
--- a/docs/pages/guides/gha_wheels.md
+++ b/docs/pages/guides/gha_wheels.md
@@ -91,7 +91,7 @@ make_sdist:
 ```
 You can instead install build via pip and use `python -m build --sdist`. You can
-also pin the version with `pipx run --spec build==... build`.
+also pin the version with `pipx run build==`.
 ## The core job (3 main OS's)
@@ -150,6 +150,9 @@ you want a different supported image, set `CIBW_MANYLINUX_X86_64_IMAGE`, `CIBW_MANYLINUX_I686_IMAGE`, etc. If you always need a specific image, you can set that in the `pyproject.toml` file instead.
+You can speed up the build by specifying the `build[uv]` build-frontend option
+and pre-installing `uv` on the runners.
+
 ## Publishing
 {% tabs %}
 {% tab oidc Trusted Publishing %}
@@ -162,6 +165,9 @@ upload_all:
 environment: pypi
 permissions:
 id-token: write
+ attestations: write
+ contents: read
+
 runs-on: ubuntu-latest
 if: github.event_name == 'release' && github.event.action == 'published'
 steps:
@@ -171,6 +177,11 @@ upload_all:
 path: dist
 merge-multiple: true
+ - name: Generate artifact attestations
+ uses: actions/attest-build-provenance@v1.1.2
+ with:
+ subject-path: "dist/*"
+
 - uses: pypa/gh-action-pypi-publish@release/v1
 ```
@@ -182,6 +193,9 @@ allow pushes from GitHub. If it's the first time you've published a package, go to the [PyPI trusted publisher docs] for instructions on preparing PyPI to accept your initial package publish.
+We are also generating artifact attestations, which can allow users to verify
+that the artifacts were built on your actions.
+
 {% endtab %}
 {% tab token Token %}
 {% raw %}
 
diff --git a/{{cookiecutter.project_name}}/.github/workflows/{% if cookiecutter.__type!='compiled' %}cd.yml{% endif %} b/{{cookiecutter.project_name}}/.github/workflows/{% if cookiecutter.__type!='compiled' %}cd.yml{% endif %}
index 03753ab0..7f1648ca 100644
--- a/{{cookiecutter.project_name}}/.github/workflows/{% if cookiecutter.__type!='compiled' %}cd.yml{% endif %}
+++ b/{{cookiecutter.project_name}}/.github/workflows/{% if cookiecutter.__type!='compiled' %}cd.yml{% endif %}
@@ -37,6 +37,8 @@ jobs:
 environment: pypi
 permissions:
 id-token: write
+ attestations: write
+ contents: read
 runs-on: ubuntu-latest
 if: github.event_name == 'release' && github.event.action == 'published'
@@ -46,6 +48,11 @@ jobs:
 name: Packages
 path: dist
+ - name: Generate artifact attestation for sdist and wheel
+ uses: actions/attest-build-provenance@v1.1.2
+ with:
+ subject-path: "dist/*"
+
 - uses: pypa/gh-action-pypi-publish@release/v1
 with:
 # Remember to tell (test-)pypi about this repo before publishing
diff --git a/{{cookiecutter.project_name}}/.github/workflows/{% if cookiecutter.__type=='compiled' %}cd.yml{% endif %} b/{{cookiecutter.project_name}}/.github/workflows/{% if cookiecutter.__type=='compiled' %}cd.yml{% endif %}
index 3396137e..fc177b81 100644
--- a/{{cookiecutter.project_name}}/.github/workflows/{% if cookiecutter.__type=='compiled' %}cd.yml{% endif %}
+++ b/{{cookiecutter.project_name}}/.github/workflows/{% if cookiecutter.__type=='compiled' %}cd.yml{% endif %}
@@ -61,6 +61,8 @@ jobs:
 environment: pypi
 permissions:
 id-token: write
+ attestations: write
+ contents: read
 runs-on: ubuntu-latest
 if: github.event_name == 'release' && github.event.action == 'published'
@@ -71,6 +73,11 @@ jobs:
 name: Packages
 path: dist
 merge-multiple: true
+ - name: Generate artifact attestations
+ uses: actions/attest-build-provenance@v1.1.2
+ with:
+ subject-path: "dist/*"
+
 - uses: pypa/gh-action-pypi-publish@release/v1
 with:
 # Remember to tell (test-)pypi about this repo before publishing
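Review bot: This template copies the mutable `actions/attest-build-provenance@v1.1.2` reference into every generated project's publish job, so each of them inherits the tag-retargeting risk inside a job holding `id-token: write`; pin `uses: actions/attest-build-provenance@<full-commit-sha> # v1.1.2` here so generated projects start from an immutable reference that dependency tooling can still update through the comment. The step also carries no explanation for the maintainer who receives it, unlike the `# Remember to tell (test-)pypi about this repo before publishing` comment just below; a line such as `# Issues a GitHub-signed build provenance statement for dist/*; consumers can check it with the GitHub CLI's attestation verification` would help. The publish action's `with:` block continues past the end of this hunk.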
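Review bot: With `merge-multiple: true` on the download step, `dist/` holds the union of every matrix job's upload, and `subject-path: "dist/*"` attests all of it, including any non-distribution file a build job happens to upload under the `Packages` name; scoping the subject to `dist/*.whl` and `dist/*.tar.gz` (the action's `subject-path` input is documented as accepting a list of paths, so `subject-path: |` followed by those two globs — verify the exact syntax) keeps the statement limited to what is actually published. The same mutable `@v1.1.2` pin concern applies here as to the pure-Python template. The attestation is also produced before `pypa/gh-action-pypi-publish` runs, so a failed upload leaves a valid attestation for artifacts that never reached PyPI; harmless, but worth a one-line comment so nobody reconciling attestations against the index is surprised. The publish action's `with:` block continues past the end of this hunk.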